International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 5, May 2016

Comparison of Different Techniques for Detecting Malware in Smartphones

Muhammad Waqas Azeem*, Muhammad Shahzad Sarfraz, Umar Shoaib
Department of Computer Science, Faculty of Computing & Information Technology, University of Gujrat, Hafiz Hayat Gujrat, Pakistan.

Abstract- Smartphones are very common nowadays and are available with different operating systems, which support a variety of smartphone applications. The main smartphone operating systems are Android, iOS, Windows, and BlackBerry. The Android application market is growing rapidly, but most smartphone users are unaware of the threats of malicious Android applications. Malicious smartphone applications use more bandwidth than normal applications. They also use extra memory and reduce the processing speed. Other threats that affect the performance of smartphones are stealing the user's personal information, consuming extra battery power, displaying annoying ads, and sending messages at premium rates. Researchers have proposed different techniques for detecting bugs, malware and stealthy behavior in smartphone applications; however, a comparison between malware detection techniques is needed to help smartphone stakeholders who want to know about the hazards of malicious applications. This article provides a complete review of three existing smartphone malware detection techniques (energy consumption, static analysis and dynamic analysis), along with their comparison and different types of malware. The results show that detecting malware through energy consumption needs extra hardware to find the exact value of power consumed by a benign application, that the static analysis technique needs more efficient and enhanced algorithms, and that detection through dynamic analysis provided better results.

Keywords: Smartphone, Malware, Techniques, Stealthy

https://sites.google.com/site/ijcsis/ ISSN 1947-5500

I. INTRODUCTION

Smartphones are used not only for calls and messages but also for entertainment and productive work. They provide a variety of functions, which are performed through applications executed by the operating system. There are different operating systems for smartphones; the most popular are Android, iOS, BlackBerry, and Windows. Android-based smartphones are growing rapidly, but they are an easy target for attackers [19]. Users can easily install any application from the Android market. Many users keep their mobile data and Bluetooth services always active, which provides an easy connection to attackers [24]. The market also contains malicious applications: some can steal users' personal information without their knowledge, and some use the processing power of the smartphone [7].

There are different types of threats in smartphone applications; common ones are stealthy behavior and bugs. Stealthy behavior means that the user of an application is unaware of the hidden targets of the application, which are set by the attacker. These targets can be very dangerous for the user. Attackers can get access to users' personal data through these applications without their knowledge. These applications send unwanted HTTP requests and messages without the knowledge of the user, and the requests use mobile data, which consumes balance. Some malicious applications also consume extra battery power. Some frequent kinds of bugs in smartphones are GUI lagging, energy leak, and memory bloat [1]. Researchers have worked to handle and detect these threats and bugs. We present a detailed review of existing malware detection techniques along with their comparison to identify the efficient malware detection technique. The purpose of comparing the different malware detection techniques is to help smartphone stakeholders.

The structure of the paper is as follows. The background section introduces previous work on smartphone malware detection techniques. The smartphone malware detection techniques section presents the three main types of malware detection techniques in detail. The conclusion section concludes the paper.

II. BACKGROUND

The rapid increase in the use of smartphone applications has drawn researchers' attention to smartphones. Researchers are trying to make smartphone applications secure, and different techniques have been presented to secure them. Stealthy behavior can be detected by analyzing the user interface [2]. The authors proposed that the user interface of a malicious application does not match its actual function, so malicious behavior can be detected when the user interface is analyzed together with the code. Normally the attackers change the code behind the user interface, and the user does not know the business logic of the application. For example, a user who wants to send an email writes the receiver's address and clicks the send button; the code behind the send button may contain another, stealthy email address, so the email is also sent to that address without the user's knowledge.

Malware in Android smartphones can be detected by analyzing the semantics of the application [7]. The authors suggested a technique named Apposcopy, based on a semantic approach and a signature-based language, to detect malware with stealthy behavior. This approach was limited to a specified type of malware.

A virtual environment, AirBag, was designed for malicious applications; it worked separately from the original operating system of the smartphone, and malicious applications executed in this virtual operating system [8]. A problem arises if a user installs a benign application: it will also execute in this virtual environment, because the authors did not mention any method for distinguishing between malicious and benign applications. As this virtual environment had limited smartphone resources, the benign application will not work properly in it. The environment also uses separate memory and processing of the smartphone, which is not economically acceptable. However, malicious apps can be distinguished from benign apps through their context.

Schlegel et al. designed a Trojan, Soundcomber, to steal personal information such as credit card numbers using the microphone of the smartphone [10]. The application recorded audio and extracted the information from the recorded sound. They also proposed a security approach against this application.

App clones are another threat to smartphone applications [3]. Attackers modify the original code and add their own code beside it. They also add advertisements to these applications to get revenue, and they publish the software in different app markets. Attackers clone one application into another to make a new application. Detecting such applications is not easy, because they use the original code of the application and add malicious code and advertisements to it. A centroid-based technique was used to find app clones.

There are three types of threats for smartphones: malware, personal spyware and grayware [4], [16]. The authors argued that malware uses personal information and also sends messages at premium rates without the knowledge of the user, while spyware and grayware steal the user's information.

A system, AppDoctor, was used for finding bugs in Android applications [9]. This system was only for widget applications and had many limitations; it was tested on few applications. It gave its output in the form of a report about bugs. AppDoctor collected the data of input actions, gave these inputs to the application to check for bugs, and then reported the action that caused the application to crash.

An anti-malware system, Andro-profiler, was proposed in [22]. It was a behavior profiling system consisting of mobile devices and a remote server. The authors used system calls and logs to characterize malware, assuming that malware has a distinctive behavior pattern. System calls can reveal malicious behavior, and these system calls can affect the behavior of malware. The authors detected malware by comparing the behavior profile with malware. This system had a limitation: it was dependent on the SDK version of the emulator only.

Model-based testing is another way to test smartphone applications [11]. The authors used an MP3 player application and minimized the model-based test suite through a hybrid model-based testing technique. A lattice was used to minimize the feasible paths needed to cover all actions of the application. They also discussed the disadvantages of model-based testing. Model-based testing is more helpful for finding bugs. It can also be used for GUI testing in smartphone applications [6]. The authors of [6] used an S60 mobile application and tested it through a model. S60 applications are for those Nokia mobiles which are not in the smartphone category. They concluded that model-based testing is a very efficient technique.

Both static and dynamic analysis techniques were used in a hybrid system to detect malware [23]. This system combined anomaly detection with a signature detection engine. New and unknown malware was reported through dynamic analysis, and the signature detection engine then detected the known malware using static and dynamic analysis. This system was unable to find malware in HTML5-based applications.

III. SMARTPHONE MALWARE DETECTION TECHNIQUES

Malware shows abnormal behavior in smartphones. This abnormal behavior can harm the user in very dangerous ways, such as sending the user's private information to an unknown server. Malware targets different operating systems such as Android, iOS, BlackBerry and Windows Mobile. Android smartphones are more common, so Android malware is also increasing day by day. Malicious applications also use the processing power of the smartphone and consume extra battery power. Researchers have worked on different techniques to detect malicious smartphone applications. Some common malware detection techniques for smartphones are static analysis, dynamic analysis, and detection through energy consumption. The three types of malware detection techniques are shown in Fig. I. A smartphone suffers many symptoms when it is affected by these malicious applications [14]. Different types of malware with their target operating systems and types of threat are given in Table I. These types of malware threaten smartphone users by stealing personal information, consuming extra power and reducing the processing speed. FlexiSPY is a very common type of malware in smartphones; it has stealthy behavior and is a serious threat to the user's personal information. Cabir and Mabir are the same type of malware, with only one difference: Mabir spreads through Bluetooth and SMS, while Cabir attacks only through Bluetooth.


Figure. I. Malware Detection Techniques

DroidDream is the most popular type of malware in Android smartphones. All these malware types disturb the normal execution of the software. Smartphone malware causes malicious behavior and steals the user's personal information without their knowledge. A few types of malware, such as FlexiSPY, Cabir, and Mabir, also attack Symbian mobiles along with smartphones.

TABLE I MALWARE TYPES

Malware | Type of Threat | OS
FlexiSPY | Stealing messages and call data | Symbian, Windows Mobile
Cabir | Use Bluetooth to spread itself | Symbian
Mabir | Use Bluetooth and SMS to spread | Symbian

Rows whose malware name cannot be matched from the source layout (names listed in the table: Rootkits, Genimi, Adware, DroidDream):

Type of Threat | OS
Steal user's personal information such as SMS, photos, location information, contacts, etc. | Android, Windows Mobile, BlackBerry
Provides unrestricted access to kernel to other malwares | Android
Send malicious messages through links | Android
Get access to mobile information without user's knowledge | Android

A. Energy Consumption

Malicious applications consume more battery power than benign smartphone applications, because exhibiting malicious behavior itself consumes extra power. This behavior can be identified by monitoring the power consumption of an application, provided that the normal power consumption of the application is found accurately [12]. The extra power consumed by a malicious application is too little to detect [13]. The authors of [13] also argued that no software is available to detect it and that it is difficult to find the accurate value of power consumed by a benign application. Liu et al. [14] proposed VirusMeter to detect smartphone malware. This technique was based on power consumption: it detected the abnormal behavior of malicious applications by monitoring power consumption. They detected real-world malware such as Cabir and FlexiSPY through VirusMeter. Detecting malware through energy consumption can be more helpful if the actual energy consumption of a benign application is known. For this purpose, extra hardware is required that can measure the actual value of energy consumption.
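The dependence on an accurate benign baseline can be seen in a small detector. This is an added example, not code from the paper and not VirusMeter's power model: a window-mean threshold test run over constructed traces. All milliwatt values, the window size and the factor `k` are assumptions chosen for illustration.

```python
from statistics import mean, stdev

def build_baseline(benign_mw):
    """Summarise benign power draw (milliwatts) as (mean, standard deviation)."""
    return mean(benign_mw), stdev(benign_mw)

def min_detectable_overhead(baseline, window, k=3.0):
    """Smallest extra draw (mW) a window mean must show before it is flagged:
    k standard errors of the baseline, i.e. k * sigma / sqrt(window)."""
    _, sigma = baseline
    return k * sigma / window ** 0.5

def flag_windows(trace_mw, baseline, window=5, k=3.0):
    """Return indices of non-overlapping windows whose mean exceeds the threshold."""
    mu, _ = baseline
    threshold = mu + min_detectable_overhead(baseline, window, k)
    flagged = []
    for start in range(0, len(trace_mw) - window + 1, window):
        if mean(trace_mw[start:start + window]) > threshold:
            flagged.append(start // window)
    return flagged

# Constructed samples. Both meters observe the same application: benign draw
# of about 200 mW, with a hidden task adding 15 mW during the second window.
# PRECISE_* stands for an external hardware meter (small measurement spread),
# COARSE_* for a software estimate with large spread.
PRECISE_BENIGN = [200, 202, 198, 201, 199, 200, 201, 199, 202, 198]
COARSE_BENIGN = [200, 230, 170, 215, 185, 200, 215, 185, 230, 170]
PRECISE_TRACE = [199, 201, 200, 202, 198,
                 214, 216, 215, 217, 213,
                 200, 199, 201, 198, 202]
COARSE_TRACE = [185, 215, 200, 230, 170,
                200, 230, 215, 245, 185,
                215, 185, 200, 170, 230]

def compare_meters():
    """Run the same detector against both measurement qualities."""
    precise = build_baseline(PRECISE_BENIGN)
    coarse = build_baseline(COARSE_BENIGN)
    return {
        "precise": flag_windows(PRECISE_TRACE, precise),
        "coarse": flag_windows(COARSE_TRACE, coarse),
    }

if __name__ == "__main__":
    print(compare_meters())
    print(min_detectable_overhead(build_baseline(PRECISE_BENIGN), 5))
    print(min_detectable_overhead(build_baseline(COARSE_BENIGN), 5))
```

With the precise baseline the 15 mW overhead stands out; with the coarse baseline the same overhead is below the smallest detectable change and the window passes as benign.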

Figure. II. Malware Detection Techniques

In Fig. II, the abnormal power consumption curve shows the power anomaly caused by malware. The other curve shows the normal power consumption of a benign application, which is far below the level of the abnormal power consumption curve.

B. Static Analysis

Static code analysis is another way to detect malware in smartphones. Android malware can be detected through semantics [7]. The authors proposed an approach, Apposcopy, which used static analysis to detect malware through malware signatures. A signature matching algorithm was used with static analysis and an inter-component call graph to detect malicious smartphone applications. They evaluated it on real-world applications and proved that it worked accurately. A summary of static approach techniques is presented in Table II [21]. All these techniques adopted a static approach; for example, VirusMeter was based on power consumption and used static analysis to find malware in smartphones. In [5], static program analysis was used to extract security-sensitive behaviors, and these behaviors were then used to find the difference between malicious and benign smartphone applications. The authors relied on the context of applications to find the malicious ones. In [2], static program analysis was used to link functions with the user interaction function. The authors analyzed the user interface text against the function and argued that if the two have different semantics, the application has stealthy behavior.
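The user-interface versus behavior comparison described for [2] can be illustrated as follows. This is an added example, not code from the paper or from AsDroid: a simplified stand-in that walks a call graph from each UI handler and reports sensitive behavior the visible text does not announce. The app model, the handler names and the keyword lists are constructed assumptions; the two framework API names are real Android/Java methods.

```python
from collections import deque

# Sensitive framework APIs and the behaviour type each one implies.
API_INTENT = {
    "android.telephony.SmsManager.sendTextMessage": "SEND_SMS",
    "java.net.URL.openConnection": "NETWORK",
}
# Words in the visible UI text that announce a behaviour type (constructed list).
TEXT_INTENT = {
    "SEND_SMS": {"sms", "message", "text"},
    "NETWORK": {"send", "email", "download", "upload", "login", "sync"},
}

def reachable_intents(call_graph, handler):
    """Breadth-first walk from a UI handler; collect behaviour types of the
    sensitive APIs that can be reached. The seen-set makes cycles terminate."""
    seen, queue, intents = {handler}, deque([handler]), set()
    while queue:
        fn = queue.popleft()
        if fn in API_INTENT:
            intents.add(API_INTENT[fn])
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return intents

def expected_intents(ui_text):
    """Behaviour types that the text shown to the user announces."""
    words = set(ui_text.lower().split())
    return {intent for intent, keywords in TEXT_INTENT.items() if words & keywords}

def find_contradictions(ui_elements, call_graph):
    """Report (text, handler, hidden behaviour types) where code does more than the UI says."""
    findings = []
    for text, handler in ui_elements:
        hidden = reachable_intents(call_graph, handler) - expected_intents(text)
        if hidden:
            findings.append((text, handler, sorted(hidden)))
    return findings

# Constructed app model: (visible text, handler) pairs and a caller -> callees graph.
UI_ELEMENTS = [
    ("Send email", "MailActivity.onSendClick"),
    ("Send SMS invite", "InviteActivity.onInviteClick"),
    ("Next level", "GameActivity.onNextClick"),
]
CALL_GRAPH = {
    "MailActivity.onSendClick": ["MailClient.deliver"],
    "MailClient.deliver": ["java.net.URL.openConnection"],
    "InviteActivity.onInviteClick": ["android.telephony.SmsManager.sendTextMessage"],
    "GameActivity.onNextClick": ["Game.loadLevel"],
    "Game.loadLevel": ["Game.render", "Billing.subscribe"],
    "Game.render": ["Game.loadLevel"],  # cycle in the graph
    "Billing.subscribe": ["android.telephony.SmsManager.sendTextMessage"],
}

if __name__ == "__main__":
    for finding in find_contradictions(UI_ELEMENTS, CALL_GRAPH):
        print(finding)
```

This sketch compares behavior types only, so a second, hidden recipient behind a "Send email" button stays within the announced NETWORK behavior and is not reported.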


TABLE II STATIC APPROACH TECHNIQUES FOR MALWARE DETECTION

Method Name | Technique | Features | Method
Bose | Static Approach | Application Actions | SVM
pBMDS | Static Approach | Keyboard Operation and LCD Display Logs | Hidden Markov Model
VirusMeter | Static Approach | Power Usage | Logistic Regression, Neural Networks and Decision Trees
DroidMat | Static Approach | Permission and Application Components | Clustering and K-Nearest Neighbor
Schmidt | Static Approach | Function Calls | Clustering Algorithm

C. Dynamic Analysis

App clones are also a threat for smartphones [3]. The original application code is modified and a clone application is designed; clone applications also include malware and adware. In [2] the author used a centroid to find the similarity of code fragments between two applications. They examined it on different Android markets and the technique worked effectively. In [17] the author used dynamic analysis of application behavior to detect malware. They found the SDKs that were mostly used by malicious applications and created an artificial smartphone framework for malware detection. They proved that applying this framework on a prototype system produced more accurate results in differentiating between malicious and benign applications.

Enck et al. provided real-time dynamic analysis with a virtualized execution environment of Android smartphones [18]. They tracked the privacy data flow through third-party applications and monitored how these applications accessed the user's personal information. They tested this technique on various applications and found that two thirds of these applications had malicious behavior. A permission-based technique was proposed in [15]. The authors developed a system, 'TISSA', and proposed that smartphones should have a privacy mode, so that the user could install any application in this mode while limiting the application's access to personal information.

Malware detection techniques are discussed in Table III. Apposcopy was designed to detect only a few specific types of malware and was not tested on other malware; it was a semantic-based approach. AirBag was basically a virtual operating system for executing malicious applications with limited resources, but benign applications also executed in this virtual operating system, because no technique was adopted to execute benign applications in the normal operating system of the smartphone. AsDroid was tested on 183 applications and it detected 113 malicious apps successfully. Shabtai et al. presented their research work along with their detection methods [20]. They proposed a Host Based Malware Detection System for checking the smartphone's working, and then applied machine learning anomaly detection to distinguish normal and malicious data. They designed malicious applications for Android phones and evaluated them through their proposed system.

TABLE III DETECTION TECHNIQUES FOR MOBILE SECURITY

Detection Technique | Description | Detection Result | Remarks
AsDroid | Find the difference between user interface and program behavior | 182 apps were tested and 113 apps were reported stealthy behavior | -
PerfChecker | A static analysis technique was used to find known bug patterns | 29 applications were tested and 126 matching instances of bug were detected | Only 68 bug patterns were accepted by the developers
AppDoctor | Data of input actions was collected and these inputs were given to check for the bugs | 64 Android applications were tested and it detected 72 bugs | -
Apposcopy | Semantic based approach was used with signature matching algorithm | - | It was only for a specific type of malware
AirBag | A virtual OS separate from the OS of smartphone to run malicious applications | It was tested on three different smartphones and evaluated it on 20 Android malware | Benign apps also executed in virtual OS
VirusMeter | Based on energy consumption of apps | Detected malware FlexiSPY and Cabir | -

Remark not matched to a row in the source layout: "It detected only few specific malwares".
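The privacy data-flow tracking described for [18] in the dynamic analysis discussion above can be illustrated with a small label-propagation replay. This is an added example, not code from the paper or from TaintDroid: the trace format, variable names, labels and the sink name `network:ads.example` are constructed assumptions.

```python
def track(trace):
    """Replay a recorded execution trace and return (sink, labels) for every
    write to a sink that carries privacy-labelled data."""
    taint = {}   # variable name -> set of privacy labels it currently carries
    leaks = []
    for op, target, *args in trace:
        if op == "source":      # target = variable, args[0] = privacy label
            taint[target] = {args[0]}
        elif op == "const":     # overwriting with an app constant clears labels
            taint[target] = set()
        elif op == "derive":    # target computed from args: union of their labels
            taint[target] = set().union(*(taint.get(a, set()) for a in args))
        elif op == "sink":      # target = sink name, args = variables written
            labels = set().union(*(taint.get(a, set()) for a in args))
            if labels:
                leaks.append((target, sorted(labels)))
        else:
            raise ValueError(f"unknown trace operation: {op}")
    return leaks

def labels_by_sink(leaks):
    """Merge the leak events into one sorted label list per sink."""
    merged = {}
    for sink, labels in leaks:
        merged.setdefault(sink, set()).update(labels)
    return {sink: sorted(labels) for sink, labels in merged.items()}

# Constructed trace of a third-party app run inside an instrumented environment.
TRACE = [
    ("source", "imei", "DEVICE_ID"),
    ("source", "loc", "LOCATION"),
    ("const", "ad_url"),
    ("derive", "enc", "imei"),              # encoding keeps the label
    ("derive", "query", "ad_url", "enc"),   # concatenation merges labels
    ("sink", "network:ads.example", "query"),
    ("derive", "msg", "loc"),
    ("const", "msg"),                       # overwritten before use: label dropped
    ("sink", "log", "msg"),
    ("derive", "body", "loc", "query"),
    ("sink", "network:ads.example", "body"),
]

if __name__ == "__main__":
    events = track(TRACE)
    print(events)
    print(labels_by_sink(events))
```

The encoded identifier is still reported at the network sink, while the overwritten `msg` variable reaches the log without a label.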

The reported malware in smartphones is shown in Fig. III. It shows that 98% of mobile malware was reported on Android-based smartphones, so threats are higher on Android-based smartphones than on other smartphones.

[Chart: reported malware by mobile operating system (Android, J2ME, SymbianOS); vertical axis from 0 to 100]

Figure. III. Reported Malware in Mobile Operating Systems

IV. CONCLUSION

In this paper we have discussed different types of malware detection techniques. A few detection techniques have some limitations, and some are only for specific types of malware. We have also described different types of malware and differentiated them by their behavior and targeted operating system.

On the basis of the above discussion, we can say that in malware detection through power consumption it is difficult to find the accurate power consumption level of a benign application; extra hardware is needed to resolve this problem. Static and dynamic analysis techniques give good results compared to detection through power consumption, but these techniques also require more work to enhance the results. More enhanced algorithms need to be added to detection through static analysis techniques.

V. REFERENCES

[1] Y. Liu, C. Xu and S. Cheung, "Characterizing and Detecting Performance Bugs for Smartphone Applications", in International Conference of Software Engineering, India, 2014.
[2] J. Huang, X. Zhang, L. Tan, P. Wang and B. Liang, "AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction", in International Conference of Software Engineering, India, 2014.
[3] K. Chen, P. Liu and Y. Zhang, "Achieving Accuracy and Scalability Simultaneously in Detecting Application Clones on Android Markets", in International Conference of Software Engineering, India, 2014.
[4] A. Porter Felt, M. Finifter, E. Chin, S. Hanna and D. Wagner, "A Survey of Mobile Malware in the Wild", in ACM Conference on Computer and Communications Security, 2011.
[5] W. Yang, X. Xiao, B. Andow, S. Li, T. Xie and W. Enck, "AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context", in International Conference of Software Engineering, 2015.
[6] M. Katara, "Experiences from Model-Based GUI testing of Smartphone Applications", in International Conference on Software Testing, Verification and Validation, 2011.
[7] Y. Feng, S. Anand, I. Dillig and A. Aiken, "Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis", in International Symposium on the Foundations of Software Engineering, 2014.
[8] C. Wu, Y. Zhou, K. Patel, Z. Liang and X. Jiang, "AirBag: Boosting Smartphone Resistance to Malware Infection", in Network and Distributed System Security Symposium, 2014.
[9] G. Hu, X. Yuan, Y. Tang and J. Yang, "Efficiently, Effectively Detecting Mobile App Bugs with AppDoctor", in EuroSys, 2014.
[10] R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia and X. Wang, "Soundcomber: A Stealthy and Context Aware Sound Trojan for Smartphones", in Network and Distributed System Security Symposium, 2011.
[11] H. Kim, "Hybrid Model Based Testing for Mobile Applications", International Journal of Software Engineering and Its Applications, 2013.
[12] Q. Yan, Y. Li, T. Li and R. Deng, "Insights into Malware Detection and Prevention on Mobile Phones", in Future Generation Information Technology Conference, 2009.
[13] J. Hoffmann, S. Neumann and T. Holz, "Mobile Malware Detection Based on Energy Fingerprints A Dead End?", in International Symposium, RAID, 2013.
[14] L. Liu, G. Yan, X. Zhang and S. Chen, "VirusMeter: Preventing Your Cellphone from Spies", in International Symposium, RAID, 2009.
[15] Y. Zhou, X. Zhang, X. Jiang and V. W. Freeh, "Taming Information-Stealing Smartphone Applications (on Android)", in International Conference, TRUST, USA, 2011.
[16] L. Dua and D. Bansal, "Taxonomy: Mobile Malware Threats and Detection Techniques", in International Conference on Advances in Computing and Information Technology, 2014.
[17] M. Zhao, T. Zhang, J. Wang and Z. Yuan, "A Smartphone Malware Detection Framework Based on Artificial Immunology", Journal of Networks, vol. 8, no. 2, 2013.
[18] W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel and A. Sheth, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones", Communications of the ACM, vol. 57, no. 3, pp. 99-106, 2014.
[19] K. Shaerpour, A. Dehghantanha and R. Mahmod, "Trends in Android Malware Detection", Journal of Digital Forensics, Security & Law, vol. 8, no. 3, p. 21, 2013.
[20] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer and Y. Weiss, "“Andromaly”: a behavioral malware detection framework for android devices", J Intell Inf Syst, vol. 38, no. 1, pp. 161-190, 2011.
[21] L. Dua and D. Bansal, "Review on Mobile Threats and Detection Techniques", International Journal of Distributed and Parallel systems, vol. 5, no. 4, pp. 21-29, 2014.
[22] J. Jang, J. Yun, A. Mohaisen, J. Woo and H. Kim, "Detecting and classifying method based on similarity matching of Android malware behavior with profile", SpringerPlus, vol. 5, no. 1, 2016.
[23] X. Wang, Y. Yang and Y. Zeng, "Accurate mobile malware detection and classification in the cloud", SpringerPlus, vol. 4, no. 1, 2015.
[24] K. R. P. Cavalcanti, E. Viana and F. A. A. Lins, "Security Issues and Solutions for Android-based Mobile Devices", International Journal of Computer Science and Information Security, vol. 13, no. 9, pp. 22-27, 2015.
